CN103179132B - A method and device for detecting and defending against CC attacks - Google Patents

A method and device for detecting and defending against CC attacks

Info

Publication number: CN103179132B
Authority: CN (China)
Application number: CN201310121695.4A
Other languages: Chinese (zh)
Other versions: CN103179132A (en)
Legal status: Active
Inventors: 姚轶崭, 叶润国, 胡卫华, 张利, 陈利
Assignees: Beijing Venusense Information Security Technology Co Ltd; CHINA INFORMATION TECHNOLOGY SECURITY EVALUATION CENTER

Abstract

The invention discloses a method and device for detecting and defending against CC attacks that protect vulnerable Web pages on the basis of access context. In this technical scheme, the "vulnerable Web pages" of a Web site that may be targeted by a CC attack and their corresponding leading Web pages are first determined. The access of each Web client to the leading Web pages is recorded, and the average response time of access requests to each vulnerable Web page is measured; when the average response time exceeds a set threshold, a CC attack is judged to have been detected. Then, for each access request that a Web client sends for a vulnerable Web page, it is checked whether that Web client has accessed the leading Web page of the vulnerable page: if so, the request is allowed through; otherwise the request for the vulnerable page is dropped. The invention is simple to configure, consumes few resources, and can effectively detect and defend against CC attacks.

Description

A method and device for detecting and defending against CC attacks
Technical field
The present invention relates to the technical field of network security, and specifically to a method and device for detecting and defending against CC attacks in order to realise secure Web access.
Background technology
HTTP (HyperText Transfer Protocol) is one of the most widely used protocols on today's Internet. The Web, as one of the Internet's main services, has developed rapidly; while Web services bring great convenience to people obtaining information, they have also become the attack target that hackers pay most attention to. At present, the main attack patterns against the Web service application layer are HTTP Flood attacks and CC attacks.
CC (Challenge Collapsar; literally "challenging the black hole", but usually simply called a CC attack) is an application-layer DDoS (Distributed Denial of Service) attack whose primary target is Web site pages. Its attack objects are those Web applications among the pages openly served by the Web server that require more resource overhead, for example pages whose computation takes a large amount of Web server CPU (central processing unit) resources, or applications that need a large number of database accesses. The targets of a CC attack are usually the pages of a site that must be generated dynamically and access a database, such as page resources ending in .asp, .jsp, .php, .cgi, .dll and so on. Most of the HTTP traffic produced by a CC attack conforms to the HTTP protocol specification, so traditional network security devices cannot identify and filter it, while the Web server has to consume a large amount of computational resources to process this Web application-layer attack traffic and therefore cannot respond to normal Web service requests, resulting in a denial of service.
At present, methods for detecting and defending against CC attacks mainly optimise the site's code, for example by using Cookies in the Web code to actively identify and authenticate visitors, or by redirecting access requests so that attackers cannot directly access resource-intensive pages. However, all of these methods require actively modifying the page code, and in most cases the code cannot be modified or the cost of modifying it is too high, so these methods are defective for detecting and defending against CC attacks. Therefore, a solution is needed that can detect and defend against CC attacks without modifying the page code.
Summary of the invention
The technical problem to be solved by the invention is to provide a method and device for detecting and defending against CC attacks, in order to solve the problems that current Web servers, when detecting and defending against CC attacks, need to modify the Web page code and incur a large resource overhead.
To solve this problem, the invention proposes a method for detecting and defending against CC attacks, comprising the following steps:
Step one: determine the pages of the protected Web site that may be exploited by a CC attack as "vulnerable Web pages", and determine the leading Web pages that contain hyperlinks to each vulnerable Web page;
Step two: record the access of each Web client to the leading Web pages and measure the average response time of access requests to each vulnerable Web page; when the average response time exceeds a set threshold, judge that a CC attack has been detected and perform step three; otherwise continue performing step two;
Step three: for each access request sent by a Web client for a vulnerable Web page, check whether that Web client has accessed the leading Web page of this vulnerable Web page; if so, allow the access request through, otherwise drop the access request for the vulnerable Web page.
Preferably, in step one, the pages that consume more resources and may therefore be exploited by a CC attack are determined by manual input as the vulnerable Web pages, together with the leading Web page corresponding to each vulnerable Web page; or, in step one, a Web crawler scans the protected Web site to find the resource-intensive vulnerable Web pages that may be exploited by a CC attack and the leading Web pages that contain hyperlinks to them.
Preferably, in step two, recording the access of each Web client to the leading Web pages means that, for each access request for a leading Web page, the client IP of the request, the URL of the Web page link and whether the request succeeded are recorded, forming the request log of the leading Web pages;
Preferably, in step two, measuring the average response time of access requests to each vulnerable Web page means monitoring how the Web server's response time to access requests for each vulnerable Web page changes; if the Web server's average response time for a vulnerable Web page is found to exceed the set threshold, a CC attack is judged to have occurred.
Preferably, step three specifically comprises: within a given period of time, for each access request for a vulnerable Web page, first extract the URL of the leading Web page from the Referer field of the HTTP access request message together with the IP address of the Web client; then search the request log of the leading Web pages. If the access request for the vulnerable Web page contains no leading Web page URL, or no access to the relevant leading Web page is found for this vulnerable Web page access request, or this Web client's access request for the leading Web page failed, the access request for the vulnerable Web page is judged to be CC attack traffic and the Web client's access request for this vulnerable Web page is dropped; otherwise it is judged to come from a normal Web access client and the vulnerable Web page request is forwarded to the protected Web server.
Preferably, step three also comprises the following sub-steps:
For each access request for a leading Web page, record the client IP of the request, the Web page URL and whether the request succeeded, forming the request log of the leading Web pages;
Compute the Web server's average response time for each vulnerable Web page over a period of time; if the average response time of every vulnerable Web page no longer exceeds the set threshold, the CC attack on the Web server is considered to have ended and execution jumps back to step two; otherwise step three continues to be performed.
Preferably, the request log of the leading Web pages may be recorded using a hash table, a bitmap, or a Bloom filter.
Preferably, the bitmap recording mode uses the leading Web page URL and the Web client IP address as the input of the bitmap hash function and locates the corresponding cell in the bitmap by the hash value to record the access result; the Bloom filter recording mode uses the leading Web page URL and the Web client IP address as the input of the hash functions, defines K mutually independent hash functions to obtain K hash values, and sets the K corresponding positions in the Bloom filter bit vector to record the access result.
The invention also provides a device for detecting and defending against CC attacks, comprising:
a key Web page information collection module, a Web page request classification module, a leading Web page request log module, a vulnerable Web page monitoring module, a CC attack defence module, a Web page request forwarding module and a Web page response forwarding module, wherein:
the key Web page information collection module determines the pages of the protected Web site that may be exploited by a CC attack as "vulnerable Web pages" and determines the leading Web pages that contain hyperlinks to each vulnerable Web page;
the Web page request classification module receives Web page access requests from Web clients and divides them into three classes: access requests for vulnerable Web pages, access requests for leading Web pages, and access requests for other Web pages; access requests for vulnerable Web pages are handed to the vulnerable Web page monitoring module, access requests for leading Web pages to the leading Web page request log module, and access requests for other Web pages directly to the Web page request forwarding module;
the leading Web page request log module, on the one hand, receives the access request messages for leading Web pages forwarded by the Web page request classification module and extracts and records the URL of the Web page and the IP address of the Web client; on the other hand, it receives and records the leading Web page response times from the Web page response forwarding module, and generates the leading Web page request log;
the vulnerable Web page monitoring module, in the CC attack detection stage, receives the vulnerable Web page request messages forwarded by the Web page request classification module and the vulnerable Web page response times forwarded by the Web page response forwarding module, and calculates the current average response time of each vulnerable Web page:
when the average response time exceeds the set threshold, a CC attack is judged to have been detected; the leading Web page URL and the Web client IP address are extracted from the vulnerable Web page request message forwarded by the Web page request classification module and looked up in the log records provided by the leading Web page request log module, and the lookup result determines whether a successful leading Web page request exists for this vulnerable Web page request; if it exists, the vulnerable Web page request is forwarded to the Web page request forwarding module, otherwise it is passed to the CC attack defence module;
when the average response time is less than or equal to the set threshold, the vulnerable Web page request is forwarded directly to the Web page request forwarding module and the current average response time of each vulnerable Web page continues to be calculated;
the CC attack defence module receives the vulnerable Web page requests forwarded by the vulnerable Web page monitoring module that have been judged to lack a leading Web page request, and rate-limits or directly discards them according to the defence policy;
the Web page request forwarding module receives the access requests for leading Web pages forwarded by the leading Web page request log module, the access requests for vulnerable Web pages forwarded by the vulnerable Web page monitoring module, and the requests for other Web pages forwarded by the Web page request classification module, and forwards these access requests to the protected Web server;
the Web page response forwarding module receives Web page response messages from the protected Web server and forwards them to the corresponding Web clients; at the same time, for leading Web page response messages it extracts the response result and the response time and passes them to the leading Web page request log module, and for vulnerable Web page response messages it extracts the response time and passes it to the vulnerable Web page monitoring module.
Preferably, the key Web page information collection module collects, manually or by means of a Web crawler, the information about the vulnerable Web pages of the protected site that may be targeted by a CC attack and the information about the related leading Web pages, for use by the Web page request classification module, the leading Web page request log module and the vulnerable Web page monitoring module.
Preferably, the leading Web page request log module may generate the request log of the leading Web pages using a hash table, a bitmap, or a Bloom filter. The bitmap recording mode uses the leading Web page URL and the Web client IP address as the input of the bitmap hash function and locates the corresponding cell in the bitmap by the hash value to record the access result; the Bloom filter recording mode uses the leading Web page URL and the Web client IP address as the input of the hash functions, defines K mutually independent hash functions to obtain K hash values, and sets the K corresponding positions in the Bloom filter bit vector to record the access result.
The method and device provided by the invention for detecting and defending against CC attacks, which can be deployed on a Web security gateway, have the following advantages:
1) because it is deployed between client and server, the application code on the Web server side need not be modified, so deployment and implementation are simple;
2) the entire detection of and defence against CC attacks on the Web server is carried out by the Web application firewall deployed in front of the Web server, and imposes no resource overhead on the Web server;
3) the HTTP traffic from Web client to Web server need not be modified, so good network throughput can be achieved, guaranteeing the quality of the Web access service;
4) a bitmap or a Bloom filter can be used to store the access records of the leading Web pages, greatly saving storage space.
Brief description of the drawings
Figure 1 is a diagram of the network position of the Web security gateway of the invention;
Figure 2 is the module diagram of the CC attack detection and defence device of the invention;
Figure 3 is the flow chart of the CC attack detection and defence method of the invention;
Figure 4 is a schematic diagram of the bitmap used to record the access request log of the leading Web pages;
Figure 5 is a schematic diagram of the Bloom filter used to record the access request log of the leading Web pages.
Embodiments
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings.
Most existing techniques for defending against CC attacks require modifying code or pages; being able to detect and defend against CC attacks without modifying the page code would be a more ideal solution. The invention therefore focuses on how to detect CC attacks on a Web server and, when defending against them, how to distinguish normal Web access traffic from abnormal CC attack traffic, so that CC attack traffic is filtered effectively while the Web access service quality of normal users is preserved as far as possible.
When detecting and defending against CC attacks, the technical scheme of the invention mainly exploits the clear difference in access context between CC attack traffic and normal Web access traffic:
normal Web access traffic has access context, that is, normal Web access starts from a start page (such as the home page) and then follows a certain Web page access path before reaching the resource-intensive Web pages (usually the pages targeted by CC attacks);
CC attack traffic lacks access context: it generally accesses a resource-intensive Web page directly and repeatedly, without following the normal Web page access path.
Therefore, when detecting and defending against CC attacks, checking whether each Web page request has access context determines whether it belongs to normal Web access, so CC attack traffic can be identified and filtered effectively.
At the same time, to avoid modifying pages, this detection and defence scheme can be deployed between Web client and Web server, for example on a Web security gateway. Access requests belonging to CC attack traffic can then be blocked or dropped before they reach the Web server, effectively protecting the Web application system.
As shown in Figure 1, the Web security gateway sits between the Web clients and the protected Web application system, and the detection and defence method of the invention is suited to implementation on it. The Web client may be a standard Web browser or a tool used to launch a CC attack. Web clients communicate with the protected Web application system over HTTP, and all communication between them is forwarded by the Web security gateway; effective detection and defence against CC attacks is realised in the forwarding process.
Figure 2 shows the module diagram of the device for detecting and defending against CC attacks that can be deployed on the Web security gateway. The device comprises: a key Web page information collection module, a Web page request classification module, a leading Web page request log module, a vulnerable Web page monitoring module, a CC attack defence module, a Web page request forwarding module and a Web page response forwarding module. Wherein:
The key Web page information collection module collects, manually or by means of a Web crawler, the information about the vulnerable Web pages of the protected Web site that may be targeted by a CC attack and the information about the related leading Web pages, for use by the leading Web page request log module and the vulnerable Web page monitoring module.
The Web page request classification module receives Web page access requests from Web clients and divides them into three classes: access requests for vulnerable Web pages; access requests for leading Web pages; and access requests for other Web pages, shown in Figure 2 as access requests for non-key Web pages. Each class is handled differently: access requests for vulnerable Web pages are handed to the vulnerable Web page monitoring module; access requests for leading Web pages are handed to the leading Web page request log module; access requests for non-key Web pages are handed directly to the Web page request forwarding module.
The leading Web page request log module, on the one hand, receives the access request messages for leading Web pages forwarded by the Web page request classification module and extracts and records the URL (Uniform Resource Locator) of the Web page and the IP address of the Web client; on the other hand, it receives and records the leading Web page response times from the Web page response forwarding module, and generates the leading Web page request log.
The vulnerable Web page monitoring module, in the CC attack detection stage, receives the vulnerable Web page request messages forwarded by the Web page request classification module and the vulnerable Web page response times forwarded by the Web page response forwarding module, and calculates the current average response time of each vulnerable Web page;
in the CC attack defence stage, the vulnerable Web page monitoring module receives the vulnerable Web page request messages forwarded by the Web page request classification module, extracts the leading Web page URL and the Web client IP address contained in each request message, looks them up in the log records provided by the leading Web page request log module, and uses the lookup result to judge whether a successful leading Web page request exists for this vulnerable Web page request; if it exists, the vulnerable Web page request is forwarded to the Web page request forwarding module, otherwise it is passed to the CC attack defence module.
The CC attack defence module receives the vulnerable Web page requests forwarded by the vulnerable Web page monitoring module that have been judged to lack a leading Web page request, and may rate-limit or directly discard them according to the defence policy.
The Web page request forwarding module receives the requests for non-key Web pages forwarded by the Web page request classification module, the access requests for leading Web pages forwarded by the leading Web page request log module, and the access requests for vulnerable Web pages forwarded by the vulnerable Web page monitoring module, and forwards these access requests to the protected Web server.
The Web page response forwarding module receives Web page response messages from the protected Web server and forwards them to the corresponding Web clients; at the same time:
for leading Web page response messages, it extracts the Web page response result and the response time and passes them to the leading Web page request log module;
for vulnerable Web page response messages, it extracts the Web page response time and passes it to the vulnerable Web page monitoring module.
Figure 3 shows the flow chart of the CC attack detection and defence method of the invention, which may run on the Web security gateway and comprises the following steps:
Step one: find the resource-intensive Web pages of the protected Web site that may be exploited by a CC attack (the vulnerable Web pages), and the leading Web pages that contain hyperlinks to them;
Step two: record the access of each Web client to the leading Web pages and, at the same time, monitor the average response time of requests for each vulnerable Web page; when the average response time is detected to exceed a set threshold (for example a preset multiple of the average response value), judge that a CC attack has been detected and go to step three, otherwise continue performing step two;
Step three: for each request a Web client sends to a vulnerable Web page, check whether that Web client has accessed the leading Web page of this vulnerable Web page; if so, let it through, otherwise drop the access request for the vulnerable Web page.
The HTTP Referer is part of the request header: when a browser sends a request to a Web server it generally includes a Referer that tells the server which page the link was followed from, and the server can use it to obtain some information for processing.
When step three is specifically implemented it may comprise:
within a given period of time, for each access request for a vulnerable Web page, first extract the URL of the leading Web page from the Referer field of the HTTP request message together with the Web client IP address; then search the leading Web page request log. If the vulnerable Web page request contains no leading Web page URL, or no access to the relevant leading Web page is found for this vulnerable Web page access request, or this Web client's access request for the leading Web page failed, the vulnerable Web page request is judged to be CC attack traffic and dropped; otherwise it is judged to come from a normal Web access client and is forwarded to the protected Web server.
Preferably, in the detection and defence method, step three may also comprise the following sub-steps:
for each leading Web page request, record the client IP of the request, the Web page URL and whether the request succeeded, forming the leading Web page request log;
compute the Web server's average response time for each vulnerable Web page over a period of time; if the average response time of every vulnerable Web page no longer exceeds the preset multiple of the average response time, the CC attack on the Web server is considered to have ended and execution jumps back to step two; otherwise step three continues to be performed.
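Steps two and three above (and the classification, monitoring and log modules of the device), modelled in Python as an added example that is not code from the patent. The site layout, the threshold, the client addresses and the response times are constructed; the leading-page request log here is the plain hash-table variant keyed by client IP and leading page URL.

```python
from collections import defaultdict, deque
from urllib.parse import urlsplit

# Output of step one, constructed for this example: each vulnerable page mapped to
# the leading pages that hyperlink to it.
VULNERABLE_PAGES = {"/search.php": {"/index.html", "/catalog.html"}}
LEADING_PAGES = {p for pages in VULNERABLE_PAGES.values() for p in pages}


class CCGateway:
    """Gateway-side model of steps two and three with a hash-table request log."""

    def __init__(self, threshold_ms, window=10):
        self.threshold_ms = threshold_ms
        # (client IP, leading page URL) -> did that client's request for the page succeed?
        self.leading_log = {}
        # per vulnerable page, the last `window` server response times in ms
        self.resp_times = defaultdict(lambda: deque(maxlen=window))
        self.defending = False  # False: detection stage (step two); True: defence stage (step three)

    def classify(self, path):
        """Request classification module: vulnerable, leading or other page."""
        if path in VULNERABLE_PAGES:
            return "vulnerable"
        if path in LEADING_PAGES:
            return "leading"
        return "other"

    def record_response(self, client_ip, path, status, response_ms):
        """Response forwarding module: feed the server's answer to the log and the monitor."""
        kind = self.classify(path)
        if kind == "leading":
            self.leading_log[(client_ip, path)] = 200 <= status < 300
        elif kind == "vulnerable":
            self.resp_times[path].append(response_ms)
            # step two, and the step-three sub-step: any page's average above the threshold
            averages = [sum(t) / len(t) for t in self.resp_times.values() if t]
            self.defending = any(a > self.threshold_ms for a in averages)

    def has_access_context(self, client_ip, path, referer):
        """Step three: the Referer must name a leading page of this vulnerable page AND the
        log must show that this client actually fetched that leading page successfully."""
        if not referer:
            return False
        leading_url = urlsplit(referer).path
        if leading_url not in VULNERABLE_PAGES[path]:
            return False
        return self.leading_log.get((client_ip, leading_url), False)

    def decide(self, client_ip, path, referer=None):
        """Return 'forward' or 'drop' for an incoming request."""
        if self.classify(path) != "vulnerable" or not self.defending:
            return "forward"  # leading/other pages, and every request while no attack is detected
        return "forward" if self.has_access_context(client_ip, path, referer) else "drop"


def run_scenario():
    """Constructed traffic: one browsing client and one client hitting the vulnerable page directly."""
    gw = CCGateway(threshold_ms=200)
    site = "http://site.example"
    # normal client: home page first (logged as a successful leading-page request) ...
    gw.record_response("10.0.0.5", "/index.html", 200, 25)
    # ... then the vulnerable page; in the detection stage it is forwarded unconditionally
    pre_detection = gw.decide("10.0.0.5", "/search.php", site + "/index.html")
    gw.record_response("10.0.0.5", "/search.php", 200, 90)
    # direct requests for /search.php with no leading-page visit; the server slows down
    for _ in range(10):
        if gw.decide("203.0.113.7", "/search.php") == "forward":
            gw.record_response("203.0.113.7", "/search.php", 200, 900)
    return {
        "pre_detection": pre_detection,
        "attack_detected": gw.defending,
        "normal_client": gw.decide("10.0.0.5", "/search.php", site + "/index.html"),
        "no_referer": gw.decide("203.0.113.7", "/search.php"),
        # Referer names a leading page this client never fetched: the log check still fails
        "unlogged_referer": gw.decide("203.0.113.7", "/search.php", site + "/index.html"),
        "leading_page_request": gw.decide("203.0.113.7", "/index.html"),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```

Because the log, not the Referer alone, decides, a request whose Referer names a leading page the client never successfully fetched is still dropped, which is the point of consulting the request log in step three.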
In step one of the CC attack detection and defence method of the invention, the information about the vulnerable Web pages and leading Web pages may be obtained by manual input or by means of a Web crawler.
For manual input, a corresponding input interface or configuration file is needed, in which the vulnerable Web pages and leading Web pages are specified;
For the Web crawler method, before CC attack detection and defence start, the protected Web server is first automatically scanned and its pages downloaded to find the Web pages with long response times; these are the pages likely to be targeted during a CC attack, because they consume too many Web server resources, so they are determined and recorded as the vulnerable Web pages. After the vulnerable Web pages have been found, the associated leading Web pages are obtained and recorded by searching the crawler's access paths.
In step two of the method, for each leading Web page request, the access of each Web client to the leading Web page needs to be recorded; the recorded content comprises the client IP, the Web page URL of the leading Web page request and whether the request succeeded, generating the leading Web page access log. When defending against a CC attack, the vulnerable Web page monitoring module judges whether a successful leading Web page request exists for a vulnerable Web page access request by searching the leading Web page access log.
The access of Web clients to the leading Web pages can be recorded using a hash table, a bitmap, a Bloom filter or a similar structure.
When the access of each Web client to the leading Web pages is recorded with a conventional hash table, the key is the Web client IP together with the leading Web page URL, and each entry of the hash table records the response time of the leading Web page access. The advantage of this access-log recording mode is that the recorded information is fairly accurate; its disadvantage is that it consumes a large amount of storage space, which becomes more serious for Web sites with larger traffic.
To relieve the pressure on the Web security gateway of recording and storing the leading Web page access log, the technical scheme of the invention can also record and store the access of each Web client to the leading Web pages with a bitmap, which likewise allows the vulnerable Web page monitoring module to retrieve these log records quickly when defending against a CC attack.
Figure 4 shows the bitmap used by the invention to record access to the leading Web pages. The bitmap is addressed by row and column and each cell is one bit; the input of the bitmap's hash function is the leading Web page URL and the Web client IP address, and the hash output has a width equal to the sum of the bitmap's row width and column width (both counted in bits).
When recording the access of each Web client to the leading Web pages, every cell of the bitmap is first cleared to zero. Then, for each access request from a Web client to a leading Web page, the leading Web page URL and the Web client IP address are extracted as the input of the bitmap hash function to obtain a hash value; the hash value is split into two parts according to the row width and column width of the bitmap and each part is converted to an integer; these two integers are used as the row and column coordinates to locate the corresponding cell in the bitmap, and the bit of that cell is set to 1.
During CC attack defence, for an access request from a client for a vulnerable Web page, the leading Web page URL associated with the vulnerable Web page is extracted from the request message; the leading Web page URL and the Web client IP address are then used as the input of the bitmap hash function, and the corresponding cell is located by the hash value. If the bit in the cell is 1, a successful leading Web page access request is judged to exist for this vulnerable Web page request; otherwise it is judged to be CC attack traffic.
The advantage of using a bitmap to record and store the access of each Web client to the leading Web pages is a large reduction in storage space; the disadvantage is that when the number of vulnerable Web pages and the number of Web clients are both large, cells corresponding to leading Web page accesses from different Web clients easily collide, causing misjudgments during CC attack defence in which CC attack traffic that should have been filtered out is let through.
To alleviate this problem, a Bloom filter can further be used to record and store the accesses to leading Web pages. As shown in Figure 5, a Bloom filter is a compact data structure that represents all elements of a set and supports membership queries on that set, i.e. it answers the question "does element x belong to set S?".
A basic Bloom filter uses a bit vector V of length m to represent the set of data elements A = {a_1, a_2, ..., a_n}. It is equipped with k hash functions {h_i, i = 1, ..., k} with uniform distribution properties, satisfying the condition: for all x in A, h_i(x) in {1, 2, ..., m}. Then:
1. Set representation: for any element a_i in the set, the k predefined hash functions are applied to a_i in turn to obtain k hash values {b_1, b_2, ..., b_k}, b_i in [1, m], and positions b_1, b_2, ..., b_k of the bit vector V are set to 1. In essence, the Bloom filter represents one element by several short tags.
2. Set membership lookup: to decide whether an element a belongs to the set represented by the Bloom filter, the k predefined hash functions are applied to a in turn to obtain k hash values {b_1, b_2, ..., b_k}, b_i in [1, m]; then it is checked whether positions b_1, b_2, ..., b_k of the bit vector V are all 1. If they are all 1, the element is reported to be in the set; otherwise it is not in the set.
Membership lookup in a basic Bloom filter can produce false positives (an element that was never inserted is reported as present), but never false negatives (an inserted element is always found). By controlling the length m of the bit vector V relative to the number of stored elements and the number k of hash functions, the false positive rate can be kept within an acceptable range.
In the CC attack detection and defence method of the present invention, in order to record and store Web clients' accesses to leading Web pages with a Bloom filter, the leading Web page URL and the Web client IP address are used as the input of the Bloom filter's hash functions, and K mutually independent hash functions are defined (K is 3 in Figure 5).
When recording each Web client's accesses to leading Web pages, the bit vector of the Bloom filter is first cleared to zero; then, for each Web client request for a leading Web page, the leading Web page URL and the Web client IP address are extracted as the input of the K hash functions to obtain K hash values; the K corresponding positions of the Bloom filter bit vector are then set to 1.
During CC attack defence, for a request for a fragile Web page arriving from a Web client, the URL of the leading Web page associated with that fragile page is extracted from the request message; the leading Web page URL and the Web client IP address are again used as the input of the K hash functions to obtain K hash values. If the bits corresponding to these K hash values are all 1, the fragile page request is judged to have a successful prior leading-page request; otherwise the Web client's request for this fragile Web page is judged to be CC attack traffic.
When a request for a fragile Web page is judged to be CC attack traffic, the request is handed to the CC attack defence module, which rate-limits it or directly discards it according to the security policy.
Further, in the CC attack defence stage, the technical scheme of the present invention can also detect in real time whether the CC attack is continuing: if most requests for fragile Web pages are found to have a prior leading Web page access, and the Web server's response time for the fragile Web pages is within the permitted range, the system automatically switches back to the CC attack detection stage, in which only CC attack detection and logging of leading Web page requests are performed.
The foregoing are merely embodiments of the invention and do not limit it; those skilled in the art may make various modifications and variations to the invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the invention.
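The bitmap record (hash split into a row part and a column part) and the Bloom filter record (K independent hashes over the same leading URL plus client IP) described above, side by side, as an added example that is not code from the patent. Salted SHA-256 stands in for the K mutually independent hash functions, the bitmap dimensions, vector length and K are assumptions, and the URLs and IP addresses are constructed. The `false_positive_rate` and `bits_needed` helpers are the standard Bloom filter estimate, added here to make the "control m to bound the false alarm rate" statement concrete; they are not part of the patent text.

```python
import hashlib
import math
from typing import Optional


def _hash(url: str, client_ip: str, salt: int) -> int:
    """Hash the pair (leading page URL, client IP). Salted SHA-256 stands in for the
    K mutually independent hash functions the scheme assumes (an assumption here)."""
    data = f"{salt}|{url}|{client_ip}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


class BitmapLog:
    """Bitmap record: one hash value is split into a row part and a column part that
    address a single cell. A collision between two (URL, IP) pairs reads as 'seen',
    so the error is in the attacker's favour: its request is let through."""

    def __init__(self, rows: int, cols: int):
        self.rows, self.cols = rows, cols
        self.cells = bytearray(rows * cols)  # one byte per cell for clarity; pack to bits in production

    def _cell(self, url: str, client_ip: str) -> int:
        h = _hash(url, client_ip, 0)
        row, col = h % self.rows, (h // self.rows) % self.cols
        return row * self.cols + col

    def record(self, url: str, client_ip: str) -> None:
        self.cells[self._cell(url, client_ip)] = 1

    def seen(self, url: str, client_ip: str) -> bool:
        return self.cells[self._cell(url, client_ip)] == 1


class BloomLog:
    """Bloom filter record: K salted hashes select K positions of an m-bit vector.
    Lookup succeeds only if all K bits are set; false positives are possible,
    false negatives (a recorded client reported as unseen) are not."""

    def __init__(self, m: int, k: int):
        self.m, self.k = m, k
        self.bits = bytearray(m)

    def _positions(self, url: str, client_ip: str) -> list:
        return [_hash(url, client_ip, i) % self.m for i in range(self.k)]

    def record(self, url: str, client_ip: str) -> None:
        for p in self._positions(url, client_ip):
            self.bits[p] = 1

    def seen(self, url: str, client_ip: str) -> bool:
        return all(self.bits[p] for p in self._positions(url, client_ip))


def false_positive_rate(m: int, k: int, n: int) -> float:
    """Standard estimate for a Bloom filter holding n items: (1 - e^(-kn/m))^k.
    Here a false positive means an attacker's fragile-page request is let through."""
    return (1.0 - math.exp(-k * n / m)) ** k


def bits_needed(n: int, k: int, target_fp: float) -> int:
    """Smallest vector length m (rounded up) that keeps the estimate at or below
    target_fp: the 'control m to bound the false alarm rate' knob from the text."""
    return math.ceil(-k * n / math.log(1.0 - target_fp ** (1.0 / k)))


def classify(log, client_ip: str, referer_url: Optional[str]) -> str:
    """Defence-stage decision for one fragile-page request: 'pass' if the client's
    access to the leading page named by its Referer was recorded, else 'cc_attack'."""
    if referer_url and log.seen(referer_url, client_ip):
        return "pass"
    return "cc_attack"


if __name__ == "__main__":
    # Constructed values: one legitimate client that fetched the leading page,
    # one bot that forges the Referer without ever having fetched it.
    leading = "http://shop.example/index.html"
    log = BloomLog(m=bits_needed(n=100_000, k=3, target_fp=0.001), k=3)
    log.record(leading, "10.0.0.5")
    print(classify(log, "10.0.0.5", leading), classify(log, "198.51.100.7", leading))
    print("m =", log.m, "estimated FP rate at n=100000:", false_positive_rate(log.m, 3, 100_000))
```

Note that in both structures the only possible error lets traffic through, never blocks a client that really did fetch the leading page; sizing m against the expected number of (client, leading page) pairs during an attack is what keeps the leakage bounded, and the vector has to be cleared and resized if the client population grows past what it was sized for.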

Claims (10)

1. A method for detecting and defending against CC attacks, characterised by comprising the following steps:
Step 1: determine the pages of the protected Web site that may be exploited by a CC attack as "fragile Web pages", and determine the leading Web pages that contain hyperlinks to each fragile Web page;
Step 2: record each Web client's accesses to the leading Web pages, and measure the average response time of requests for each fragile Web page; when the average response time exceeds a set threshold, judge that a CC attack has been detected and go to Step 3; otherwise continue with Step 2;
Step 3: for each request for a fragile Web page sent by a Web client, check whether that Web client has accessed a leading Web page of the fragile page; if so, allow the request through, otherwise discard the request for the fragile Web page.
2. The method for detecting and defending against CC attacks of claim 1, characterised in that:
In Step 1, the pages with higher resource consumption that may be exploited by a CC attack are determined as the fragile Web pages by manual input, together with the leading Web page corresponding to each fragile Web page; or,
In Step 1, a Web crawler scans the protected Web site to find the resource-intensive pages that may be exploited by a CC attack, i.e. the fragile Web pages, and the leading Web pages that contain hyperlinks to them.
3. The method for detecting and defending against CC attacks of claim 1, characterised in that:
In Step 2, recording each Web client's accesses to the leading Web pages means that, for each request for a leading Web page, the client IP of the request, the URL of the leading page and whether the request succeeded are recorded, forming the request log of the leading Web pages;
In Step 2, measuring the average response time of requests for each fragile Web page means monitoring how the Web server's response time to requests for each fragile page changes; if the Web server's average response time for a fragile Web page is found to exceed the set threshold, a CC attack is judged to have occurred.
4. The method for detecting and defending against CC attacks of claim 3, characterised in that Step 3 specifically comprises:
Within a given time period, for each request for a fragile Web page, first extract the URL of the leading Web page from the Referer field of the HTTP request message, together with the IP address of the Web client;
Then search the request log of the leading Web pages: if the fragile page request contains no leading Web page URL, or no access to the relevant leading Web page is found for this fragile page request, or the Web client's request for the leading Web page failed, judge the fragile page request to be CC attack traffic and discard this Web client's request for this fragile Web page; otherwise judge that it comes from a normal Web client and forward the fragile page request to the protected Web server.
5. The method for detecting and defending against CC attacks of claim 4, characterised in that Step 3 further comprises the following sub-steps:
For each request for a leading Web page, record the client IP of the request, the Web page URL and whether the request succeeded, forming the request log of the leading Web pages;
Compute the Web server's average response time for each fragile Web page over a period of time; if the average response time for every fragile Web page no longer exceeds the set threshold, the CC attack on the Web server is deemed to have ended and execution jumps back to Step 2; otherwise Step 3 continues.
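The three-step procedure of claims 1 to 5 (log successful leading-page requests, watch the average fragile-page response time, enforce the Referer-backed leading-page check only while the average is above threshold, and drop back to detection once it recovers) run over a constructed request stream, as an added example that is not the patent's own code. It uses the hash-table form of the request log from claim 6 rather than the bitmap or Bloom filter; the site layout in `FRAGILE_PAGES`, the 400 ms threshold, the four-request averaging window, the client addresses and the response times are all assumptions, and `status`/`response_ms` model what the proxy observed on the server's reply.

```python
from collections import defaultdict, deque
from statistics import mean
from typing import Optional
from urllib.parse import urlsplit

# Constructed site model (assumption): each fragile page maps to the leading pages
# that carry a hyperlink to it. The patent's crucial Web page information collection
# module would supply this by manual entry or by crawling the site.
FRAGILE_PAGES = {
    "/search": {"/index.html", "/catalog"},
}


class CcGuard:
    """Proxy-side detector/defender following claims 1-5."""

    def __init__(self, fragile_pages: dict, threshold_ms: float, window: int = 4):
        self.fragile_pages = fragile_pages
        self.leading_pages = set().union(*fragile_pages.values())
        self.threshold_ms = threshold_ms
        # Hash-table form of the leading-page request log (claim 6): the pair
        # (leading path, client IP) is present only if that client fetched the
        # page successfully, so a failed leading request never unlocks the check.
        self.leading_log = set()
        # Sliding window of recent response times per fragile page (Step 2).
        self.response_ms = defaultdict(lambda: deque(maxlen=window))
        self.defending = False  # False: detection stage, True: defence stage

    def on_request(self, client_ip: str, path: str, referer: Optional[str],
                   status: int, response_ms: float) -> str:
        """Return 'forward' or 'drop' for one request."""
        if path in self.leading_pages:
            if status < 400:
                self.leading_log.add((path, client_ip))
            return "forward"
        if path not in self.fragile_pages:
            return "forward"  # other pages go straight to the forwarding module
        if self.defending and not self._has_leading_access(client_ip, path, referer):
            return "drop"  # the CC defence module would rate-limit or discard here
        self.response_ms[path].append(response_ms)
        self._update_stage()
        return "forward"

    def _has_leading_access(self, client_ip: str, fragile_path: str,
                            referer: Optional[str]) -> bool:
        if not referer:
            return False  # claim 4: no leading URL in the request at all
        leading_path = urlsplit(referer).path
        if leading_path not in self.fragile_pages[fragile_path]:
            return False  # Referer does not name a page that links to this one
        # Referer is client-controlled; only the log proves the prior visit.
        return (leading_path, client_ip) in self.leading_log

    def _update_stage(self) -> None:
        # Step 2 / claim 5: defend while any fragile page averages above threshold,
        # return to detection once every fragile page is back at or below it.
        averages = [mean(t) for t in self.response_ms.values() if t]
        self.defending = any(a > self.threshold_ms for a in averages)


def run_scenario():
    """Constructed request stream: a normal client, a client whose leading request
    failed, and a bot hammering the fragile page with and without a forged Referer."""
    guard = CcGuard(FRAGILE_PAGES, threshold_ms=400)
    ref = "http://shop.example/index.html"
    stream = [
        ("10.0.0.5",     "/static/logo.png", None, 200, 5),    # other page
        ("10.0.0.5",     "/index.html",      None, 200, 30),   # leading page, logged
        ("10.0.0.5",     "/search",          ref,  200, 120),
        ("198.51.100.7", "/search",          None, 200, 900),  # avg 510 ms: CC detected
        ("198.51.100.7", "/search",          None, 200, 900),  # no Referer
        ("10.0.0.9",     "/index.html",      None, 503, 40),   # leading request failed
        ("10.0.0.9",     "/search",          ref,  200, 100),  # no successful leading access
        ("198.51.100.7", "/search",          ref,  200, 900),  # forged Referer, never fetched
        ("10.0.0.5",     "/search",          ref,  200, 80),   # avg 366 ms: back to detection
        ("198.51.100.7", "/search",          None, 200, 900),  # avg 500 ms: detected again
        ("198.51.100.7", "/search",          None, 200, 900),
    ]
    decisions = [guard.on_request(*req) for req in stream]
    return decisions, guard.defending


if __name__ == "__main__":
    for decision in run_scenario()[0]:
        print(decision)
```

Two things the trace makes visible that the claims only imply: the stage flips back to detection as soon as a few fast responses pull the window average under the threshold (request 9), so a deployment wants hysteresis or a longer window to avoid flapping; and every decision hinges on the Referer header, which a browser's referrer policy may strip and which a bot can forge, so the logged leading-page access, not the header value, is what the check must rest on.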
6. The method for detecting and defending against CC attacks of claim 3, 4 or 5, characterised in that:
The request log of the leading Web pages may be implemented with a hash table, with a bitmap, or with a Bloom filter.
7. The method for detecting and defending against CC attacks of claim 6, characterised in that:
In the bitmap form, the leading Web page URL and the Web client IP address are the input of the bitmap hash function, and the cell located in the bitmap from the hash value records the access result;
In the Bloom filter form, the leading Web page URL and the Web client IP address are the input of K mutually independent hash functions, giving K hash values, and the K corresponding positions of the Bloom filter bit vector are set to record the access result.
8. A device for detecting and defending against CC attacks, characterised by comprising:
a crucial Web page information collection module, a Web page request classification module, a leading Web page request log module, a fragile Web page monitoring module, a CC attack defence module, a Web page request forwarding module and a Web page response forwarding module, wherein:
the crucial Web page information collection module determines the pages of the protected Web site that may be exploited by a CC attack as "fragile Web pages", and determines the leading Web pages that contain hyperlinks to each fragile Web page;
the Web page request classification module receives Web page requests from Web clients and divides them into three classes: requests for fragile Web pages, requests for leading Web pages, and requests for other Web pages; requests for fragile Web pages are handed to the fragile Web page monitoring module, requests for leading Web pages to the leading Web page request log module, and requests for other Web pages directly to the Web page request forwarding module;
the leading Web page request log module, on the one hand, receives the leading-page request messages forwarded by the Web page request classification module and extracts and records the page URL and the Web client IP address, and on the other hand receives and records the leading-page response times from the Web page response forwarding module, generating the leading Web page request log;
the fragile Web page monitoring module, in the CC attack detection stage, receives the fragile-page request messages forwarded by the Web page request classification module and the fragile-page response times forwarded by the Web page response forwarding module, and computes the current average response time of each fragile Web page:
when the average response time exceeds the set threshold, it judges that a CC attack has been detected, extracts the leading Web page URL and the Web client IP address from the fragile-page request message forwarded by the classification module, searches the log records provided by the leading Web page request log module, and judges from the search result whether a successful leading-page request exists for this fragile-page request; if so, the fragile-page request is forwarded to the Web page request forwarding module, otherwise it is passed to the CC attack defence module;
when the average response time is less than or equal to the set threshold, the fragile-page request is forwarded directly to the Web page request forwarding module, and the module continues computing the current average response time of each fragile Web page;
the CC attack defence module receives the fragile-page requests forwarded by the fragile Web page monitoring module that were judged to have no leading-page request, and rate-limits or directly discards them according to the defence policy;
the Web page request forwarding module receives the leading-page requests forwarded by the leading Web page request log module, the fragile-page requests forwarded by the fragile Web page monitoring module and the other-page requests forwarded by the Web page request classification module, and forwards all of them to the protected Web server;
the Web page response forwarding module receives Web page response messages from the protected Web server and forwards them to the corresponding Web client; at the same time, for leading-page responses it extracts the response result and response time and passes them to the leading Web page request log module, and for fragile-page responses it extracts the response time and passes it to the fragile Web page monitoring module.
9. The device for detecting and defending against CC attacks of claim 8, characterised in that:
the crucial Web page information collection module collects, manually or by Web crawler, the information about the fragile Web pages of the protected site that may be targeted by a CC attack and about the leading Web pages related to them, for use by the Web page request classification module, the leading Web page request log module and the fragile Web page monitoring module.
10. The device for detecting and defending against CC attacks of claim 8, characterised in that:
the leading Web page request log module may implement the request log of the leading Web pages with a hash table, with a bitmap, or with a Bloom filter;
in the bitmap form, the leading Web page URL and the Web client IP address are the input of the bitmap hash function, and the cell located in the bitmap from the hash value records the access result;
in the Bloom filter form, the leading Web page URL and the Web client IP address are the input of K mutually independent hash functions, giving K hash values, and the K corresponding positions of the Bloom filter bit vector are set to record the access result.
Publications (2)

Publication Number | Publication Date
CN103179132A (en) | 2013-06-26
CN103179132B (en) | 2016-03-02

Legal Events

Code | Description
PB01 | Publication
C06 | Publication
SE01 | Entry into force of request for substantive examination
C10 | Entry into substantive examination
GR01 | Patent grant
C14 | Grant of patent or utility model